MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Smoke Loader


Vendor detections: 14


Intelligence 14 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7
SHA3-384 hash: 093c7f0b91f6cdae2d7a681d29c0fac96e544ce66e42c021cccabf6e3139eb536c837d4c11990edb46bb5ef1dfe30bb1
SHA1 hash: 9cac9a2e0f3a0d3e0b9ede83f7cde39860c1ac96
MD5 hash: 5ccc064218d48040cb306d30cbd83079
humanhash: mirror-mississippi-delaware-johnny
File name:5ccc064218d48040cb306d30cbd83079
Download: download sample
Signature Smoke Loader
Create hunting rule
File size:31'744 bytes
First seen:2023-03-20 16:12:49 UTC
Last seen:2023-03-20 18:31:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:WiMZKaKumgcFAPoSqToaLgc3bpEQk1YAlaLhvx1Y5dT4n18kjft:WNkgSLLg6pUYAlghvs38+2f
Threatray 32 similar samples on MalwareBazaar
TLSH T19CE2A404A7A4CA29F91B3A746CA717700F7AEDCB8812EB5F4C0478DE6D76384C9113D6
TrID 71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
10.2% (.EXE) Win64 Executable (generic) (10523/12/4)
6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
4.3% (.EXE) Win32 Executable (generic) (4505/5/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
File icon (PE):PE icon
dhash icon 72690d69690d6972 (8 x AgentTesla, 6 x Smoke Loader, 2 x PureCrypter)
Reporter zbetcheckin
Tags:32 exe Smoke Loader

Intelligence

File Origin
# of uploads :
2
# of downloads :
240
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
smoke
Create hunting rule
ID:
1
File name:
5ccc064218d48040cb306d30cbd83079
Verdict:
Malicious activity
Analysis date:
2023-03-20 16:12:57 UTC
Tags:
loader smoke trojan
Link:
https://app.any.run/tasks/32002fac-7e23-4a8f-9198-98f6ea963851

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
SmokeLoader
Create hunting rule
Link:
https://www.capesandbox.com/analysis/375975/
Detection(s):
SecuriteInfo.com.Win32.DropperX-gen.25498.15730.UNOFFICIAL
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Сreating synchronization primitives
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
packed
Link:
https://www.filescan.io/uploads/6418860fe91ddba083cec406/reports/5db2f0b6-30a0-4679-b470-5ca286be5ce8/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_70%
Link:
https://www.hybrid-analysis.com/sample/383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/1e9c5ba2-ecba-4c02-ac5f-f67b77f559fa
Result
Threat name:
SmokeLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/1197898
Signature
Antivirus detection for URL or domain
Benign windows process drops PE files
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if the current machine is a virtual machine (disk enumeration)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected Generic Downloader
Yara detected SmokeLoader
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 830799 Sample: Q5mRnbHQK2.exe Startdate: 20/03/2023 Architecture: WINDOWS Score: 100 44 Malicious sample detected (through community Yara rule) 2->44 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 4 other signatures 2->50 7 Q5mRnbHQK2.exe 15 5 2->7         started        12 wjgefdt 14 3 2->12         started        process3 dnsIp4 38 amandamuggleton.com.au 116.0.23.217, 49707, 49711, 80 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 7->38 32 C:\Users\user\AppData\...\Q5mRnbHQK2.exe.log, ASCII 7->32 dropped 52 Encrypted powershell cmdline option found 7->52 54 Injects a PE file into a foreign processes 7->54 14 Q5mRnbHQK2.exe 7->14         started        17 powershell.exe 16 7->17         started        19 Q5mRnbHQK2.exe 7->19         started        56 Machine Learning detection for dropped file 12->56 21 powershell.exe 12->21         started        file5 signatures6 process7 signatures8 66 Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)) 14->66 68 Maps a DLL or memory area into another process 14->68 70 Checks if the current machine is a virtual machine (disk enumeration) 14->70 72 Creates a thread in another existing process (thread injection) 14->72 23 explorer.exe 1 3 14->23 injected 28 conhost.exe 17->28         started        30 conhost.exe 21->30         started        process9 dnsIp10 40 cletonmy.com 172.105.103.207, 80 LINODE-APLinodeLLCUS United States 23->40 42 alpatrik.com 109.206.243.15, 49712, 80 AWMLTNL Germany 23->42 34 C:\Users\user\AppData\Roaming\wjgefdt, PE32 23->34 dropped 36 C:\Users\user\...\wjgefdt:Zone.Identifier, ASCII 23->36 dropped 58 System process connects to network (likely due to code injection or exploit) 23->58 60 Benign windows process drops PE files 23->60 62 Deletes itself after installation 23->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->64 file11 signatures12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7/
Threat name:
ByteCode-MSIL.Trojan.SmokeLoader
Create hunting rule
Status:
Malicious
First seen:
2023-03-20 16:06:40 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
19 of 24 (79.17%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ha3sjr5fosgd2rxhn7ypnzocmim63rfwkcelvvio6guguqxkdhtq._file
Verdict:
malicious
Similar samples:
033deaaa0a55c91052dfe7abc3aaf77b5310d26437330e402a102d060ae0ace9
Smoke Loader
25605527f20f5d35b60f8e73fd14ddbcb376f8409606f692faf35d9c1c39c642
Smoke Loader
2a7a933f275e67cb1c68c54377e6b21510d7e4819514cfdf4311bf5b337fe8ac
Smoke Loader
2e88105d979bfbe65b2ed9322114fc21ef9e1fdb324a63d6198defd1e976d36e
Smoke Loader
4651352b505fae7173a67ed85a7183925d85837d522b827cace147187ff8f43a
Smoke Loader
47d56868d1577e5599d2f000c08875bb73492d055f73f4c7f5ca747d13b6410a
Smoke Loader
65cc1ea27c733c270dd0497ed9c99896baf50eeafa5e1200889557985bfd87d5
Smoke Loader
775d65422f55e1dab6d5fcafa72f326dfe50615da31b1b5f5e41067fb13cb7f0
Smoke Loader
a444e2b7c6bb38ad76ed18be349777996bcb98cf37f8172e5eb1feef139e54ca
Smoke Loader
cfb6e2cc273660a6f3b104976a898f96a3e900fc00eb000be59e6e0b86e9e376
Smoke Loader
+ 22 additional samples on MalwareBazaar
Result
Malware family:
smokeloader
Create hunting rule
Score:
  10/10
Tags:
family:smokeloader backdoor trojan
Link:
https://tria.ge/reports/230320-tn3njaed29/
Behaviour
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Enumerates physical storage devices
Suspicious use of SetThreadContext
Checks computer location settings
SmokeLoader
Malware Config
C2 Extraction:
http://cletonmy.com/
http://alpatrik.com/
Unpacked files
SH256 hash:
383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7
MD5 hash:
5ccc064218d48040cb306d30cbd83079
SHA1 hash:
9cac9a2e0f3a0d3e0b9ede83f7cde39860c1ac96
Link:
https://www.unpac.me/results/e346c51e-3dd0-416c-a8da-e7b421268c06/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/383724c7a574/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Smoke Loader

Executable exe 383724c7a5748c3d46e76ff0f6e5c26219edc4b65088bad50ef1a86a42ea19e7

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/2578679/
Cape
Cape
https://www.capesandbox.com/analysis/375975/

Comments


Avatar
zbet commented on 2023-03-20 16:12:57 UTC

url : hxxp://107.172.4.171/191/vbc.exe